Overview of Key Concepts with an Application to IT Controls in Performing an Audit of Internal Control Over Financial Reporting
Objective
To gain an understanding of the concepts in the new Auditing Standard #5 (AS 5) and their relation to IT controls in performing an audit of internal control over financial reporting.
Risk Assessment
Top-Down Approach
The complexity of the organization, business unit, or process will play an important role in the auditor's risk assessment and the determination of the necessary procedures.
The auditor should focus more of his or her attention on the areas of highest risk.
It is not necessary to test controls that, even if deficient, would not present a reasonable possibility of material misstatement to the financial statements.
COSO stands for the Committee of Sponsoring Organizations. It is an organization whose mission is to improve financial reporting with a focus on ethics, effective internal controls, and solid corporate governance. The organizations that make up COSO are the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and the American Accounting Association (AAA). In 1992, the COSO committee published its initial Internal Control - Integrated Framework.
Beginning in 2001, the COSO committee engaged PricewaterhouseCoopers (PwC) to develop the Enterprise Risk Management (ERM) framework, using the 1992 model as the basis for the work.
The COSO model for assessing Internal Control has Risk Assessment as one of the 5 Pillars of COSO.
[Figure: COSO cube. Objectives: Operations, Financial Reporting, Compliance. Components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring.]
Processes are the high level functions most often performed in any organization: Operations, Financial Reporting, Compliance. Entity Levels are the strata most often found within organizations: Entity/Corporate Level, Division, Business Unit, Subsidiary.
and analysis of risks to the achievement of established business objectives and should form a basis to determine how the risks should be managed. As economic, industry, regulatory, and operating conditions change, mechanisms are required to identify and deal with the special risks associated with change.
- High degree of automation in processing day-to-day transactions.
- IT data elements are the primary source of information used in decision-making.
- IT availability and integrity are critical to financial statement closing and reporting processes.
- Risk of unwarranted reliance by management on IT systems and controls.
Description of IT Controls
Types of IT Controls:
1. General Computer Controls. General Computer Controls are the high-level controls that typically impact all of the individual applications and data in the technology environment. These controls include Application Development, Change Control, Information Security, and Data Center Operations. These controls need to be documented, and potentially tested, each year. If there is a solid General Controls environment, it is easier to place more reliance on the Application Level controls.
2. Application Level Controls. These are specific controls for the applications in use at the client. An example is a systematic check to ensure that duplicate invoices are not being paid by the AP system. The documentation and testing of these controls is based upon discussions with the audit engagement team. You may or may not address application controls each year.
A standard policy/procedure process and/or document exists that details the organization's methods for applying application, infrastructure, and system software changes. A standard change request record/form (electronic or paper) is used to document and track changes and approvals. All change requests are approved by the appropriate requesting management, as well as other impacted management (as defined by policies and procedures). Emergency changes are tested and approved by authorized management after implementation and follow the outlined policies and procedures.
User administration procedures should be in place to address the requirements for granting, changing, and removing access to systems and applications in a timely manner, including remote access capabilities (i.e. the access request process and necessary manager approval). Unique user accounts are set up to provide user accountability for use of system resources. All exceptions should be documented and approved.
Minimum password standards are applied to restrict access (i.e. required password, minimum password length, password change standards, password composition standards, timeout, unsuccessful access attempts).
Access to the production environment (OS and application programs) is restricted by appropriate facilities (i.e. RACF, native OS ACLs) and supports segregation of duties (i.e. programmers do not have access to modify code in production libraries; non-administration personnel do not have access to root, administrator or the RACF SPECIAL attribute).
Access to databases is authorized based on job responsibility (i.e. the DBA has Oracle administration access) and access to manipulate database files through the OS is restricted by the appropriate facilities (i.e. RACF or native OS ACLs). Access to sensitive facilities (access to master passwords, powerful utilities (including scheduling packages), and system manager facilities) is granted based on job responsibility. Audit logs (e.g. the SU log) are in place to document user access to sensitive or powerful facilities and are reviewed where appropriate. Firewall architecture is in place to protect access to internal systems from unauthorized external parties via untrusted networks (i.e. the internet). Intrusion Detection Systems are in place and are monitored periodically.
Management has defined and implemented a problem management process/system to ensure that operational events that are not part of standard operation (i.e. incidents, problems, and errors (e.g., processing abends)) are recorded, analyzed, escalated and resolved in a timely manner. System processing jobs and batch feeds are documented in the IT Operations Manual or other equivalent documentation. Daily operations checklists are used to assist in monitoring systems processing. Critical programs and data are identified by management. Backups of these critical programs and data are scheduled and performed. There is an off-site storage process and backups are taken off-site.
General Computer Controls areas described above: Change Control, Information Security, Data Center Operations.
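The SU log review and segregation-of-duties points above are the kind of control an auditor re-performs. The following is an added example (not from the original presentation) that reviews a constructed SU log against a hypothetical job-responsibility matrix, flagging successful switches to a privileged account by users not approved for it and repeated failed attempts; the log layout is modeled on the classic sulog format and the sample lines are made up.

```python
import re
from collections import Counter

# Constructed sample in the classic sulog layout "SU MM/DD HH:MM +|- tty from-to"
# ("+" = successful switch, "-" = failed attempt). Lines are made up for this example.
SAMPLE_SULOG = """\
SU 03/14 08:02 + pts/0 alice-root
SU 03/14 08:15 - pts/1 bob-root
SU 03/14 08:16 - pts/1 bob-root
SU 03/14 08:17 - pts/1 bob-root
SU 03/14 09:40 + pts/2 carol-root
SU 03/14 10:05 + pts/3 alice-oracle
SU 03/14 11:30 + pts/4 dave-oracle
"""

# Hypothetical approval matrix: which users are approved to assume each privileged account
AUTHORIZED = {"root": {"alice"}, "oracle": {"alice", "dave"}}

SULOG_RE = re.compile(r"^SU (\S+) (\S+) ([+-]) (\S+) (\S+)-(\S+)$")

def parse_sulog(text):
    """Yield one dict per well-formed sulog line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = SULOG_RE.match(line.strip())
        if m:
            day, clock, ok, tty, src, dst = m.groups()
            yield {"date": day, "time": clock, "ok": ok == "+", "tty": tty, "src": src, "dst": dst}

def review_sulog(text, authorized, fail_threshold=3):
    """Return review findings: unapproved successful switches, then repeated failures per (user, target)."""
    findings = []
    failures = Counter()
    for e in parse_sulog(text):
        if e["ok"]:
            if e["src"] not in authorized.get(e["dst"], set()):
                findings.append(f"UNAUTHORIZED: {e['src']} became {e['dst']} at {e['date']} {e['time']} ({e['tty']})")
        else:
            failures[(e["src"], e["dst"])] += 1
    for (src, dst), n in failures.items():
        if n >= fail_threshold:
            findings.append(f"REPEATED FAILURES: {n} failed su to {dst} by {src}")
    return findings

if __name__ == "__main__":
    for finding in review_sulog(SAMPLE_SULOG, AUTHORIZED):
        print(finding)
```

The reviewer keeps the approval matrix (who may assume which account) as the evidence the log is compared against; findings are returned rather than printed so they can be filed with the workpapers.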
Application Controls
Input Controls
- Edit Checks - Input File Validation - Edit/Error Reports
Processing Controls
- Balancing Controls - Program Calculations - Processing Statistics
Output Controls
- Processing Reports - Output Files - Interfaces to Other Systems
Security Controls
- Application Level Security Controls
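The input, processing and duplicate-invoice controls listed above can be illustrated in code. This is an added example, not from the original presentation: it validates a constructed AP input file (header with a record count and control total, then pipe-delimited invoice records, a format made up for this example), applying edit checks, duplicate-invoice detection, and balancing against the header, and produces an edit/error report.

```python
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed AP input file (made up for this example): "H|record_count|control_total", then "D|vendor|invoice_no|invoice_date|amount"
SAMPLE_FILE = """\
H|3|1450.00
D|V100|INV-7781|2007-06-01|500.00
D|V100|INV-7781|2007-06-03|500.00
D|V205|INV-0042|2007-13-40|450.00
"""

def edit_check(fields):
    """Input edit checks for one detail record: returns (errors, amount); amount is None if unparseable."""
    if len(fields) != 5 or fields[0] != "D":
        return ["malformed detail record"], None
    _, vendor, inv_no, inv_date, amount = fields
    errors = []
    try:
        date.fromisoformat(inv_date)
    except ValueError:
        errors.append(f"invalid date {inv_date}")
    try:
        value = Decimal(amount)
    except InvalidOperation:
        value = None
        errors.append(f"invalid amount {amount}")
    return errors, value

def validate_ap_file(text):
    """Edit checks, duplicate-invoice detection and header balancing; returns (accepted, edit_report)."""
    lines = text.splitlines()
    _, expected_count, control_total = lines[0].split("|")
    accepted, report, seen, total = [], [], set(), Decimal("0")
    for n, line in enumerate(lines[1:], start=2):
        fields = line.split("|")
        errors, amount = edit_check(fields)
        total += amount or 0                    # detail total over every parseable amount
        key = tuple(fields[1:3])                # duplicate check: same vendor + invoice number
        if key in seen:
            errors.append("duplicate invoice number for this vendor")
        elif not errors:
            seen.add(key)
            accepted.append({"vendor": key[0], "invoice": key[1], "amount": amount})
        if errors:
            report.append(f"line {n}: " + "; ".join(errors))
    if len(lines) - 1 != int(expected_count):   # balancing control: record count vs header
        report.append(f"record count {len(lines) - 1} != header count {expected_count}")
    if total != Decimal(control_total):         # balancing control: amount total vs header
        report.append(f"detail total {total} != control total {control_total}")
    return accepted, report
```

Rejected records and balancing exceptions go to the edit report; only clean, non-duplicate invoices are passed on for payment.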
Are standard IT controls in place at the client location, and do they appear to be in operation? Are the controls performed by persons possessing the necessary authority and competence to perform the control effectively? Procedures performed include a mix of inquiry of personnel, observation of the company's operations, and inspection of relevant documentation.
Walkthroughs that include the procedures described above are sufficient to evaluate design effectiveness. A smaller, less complex company might achieve its control objectives in a different manner from a larger, more complex organization (i.e., less segregation of duties) and may implement alternative controls to achieve its control objectives. In such circumstances, the auditor should evaluate whether those alternative controls are effective.
Are standard IT controls as documented performing as expected throughout the audit period? The amount of testing evidence is directly related to the level of risk assessed for that control. The greater the level of risk the greater the level of evidence needed to evaluate the operating effectiveness of the control.
The IT environment has a direct impact on the level of assessed risk, since many financial and operational controls are affected by IT controls. Procedures performed include a mix of inquiry of personnel, observation of the company's operations, inspection of relevant documentation, and re-performance of a control.
[Figure: Reliability of Evidence scale, with Inquiry marked as the less persuasive procedure and Observation placed above it.]
Testing controls over a greater period of time provides more evidence of the effectiveness of controls than testing over a shorter period of time. Testing performed closer to the date of management's assessment provides more evidence than testing performed earlier in the year. The auditor should balance performing the tests of controls closer to the as-of date with the need to test controls over a sufficient period of time to obtain sufficient evidence of operating effectiveness.
In planning and performing the audit, however, the auditor is not required to search for deficiencies that, individually or in combination, are less severe than a material weakness.
The severity of a deficiency depends on both the reasonable possibility of a misstatement and the magnitude of the potential misstatement.
AS 5 revises the definition of a significant deficiency (SD) to align with the definition the SEC has proposed. AS 5 encourages the use of auditor judgment in evaluating material weaknesses (MWs) and SDs. The goal is to move away from MWs and SDs prescribed by the standard.
Certain automated controls may be dependent on other automated controls in order to function properly. Therefore, the auditor may need to evaluate the entire process and not just an isolated control.
- The extent to which the application control can be matched to a defined program/module within an application.
- The extent to which the application is stable (i.e., there are few changes from period to period).
- The availability and reliability of information on the nature and timing of program changes.
- The program change process, including the lockdown of the production libraries/directories.
As these factors indicate lower risk, the control being evaluated might be well-suited for benchmarking.
After a period of time, the length of which depends upon the circumstances, the baseline of the operation of an automated application control should be reestablished.
Questions?
Contact Information
Michael Pinna, Director - IT Risk Services, Weiser LLP, (732) 475-2198, mpinna@weiserllp.com